From Axel.Mueller at t-systems.com Thu Jan 4 02:14:12 2007 From: Axel.Mueller at t-systems.com (Axel.Mueller at t-systems.com) Date: Thu, 4 Jan 2007 11:14:12 +0100 Subject: [SA-exim] Delete old Spam Mails Message-ID: <6FB6A628C2AD884BBECED1416712D04D02482A38@S4DE8PSAALE.t-systems.com> Hello! I've set in sa-exim.conf the setting SAmaxarchivebody: 20971520 But my Mail"archive" is now about 30 MB. Is a cron job necessary to delete the old mails? -- Mit freundlichen Gruessen! Axel Mueller From gregh at hillnet.us Thu Jan 4 07:30:41 2007 From: gregh at hillnet.us (Greg Hill) Date: Thu, 4 Jan 2007 08:30:41 -0700 (MST) Subject: [SA-exim] Delete old Spam Mails In-Reply-To: <6FB6A628C2AD884BBECED1416712D04D02482A38@S4DE8PSAALE.t-systems.com> References: <6FB6A628C2AD884BBECED1416712D04D02482A38@S4DE8PSAALE.t-systems.com> Message-ID: On Thu, 4 Jan 2007 Axel.Mueller at t-systems.com wrote: > I've set in sa-exim.conf the setting > > SAmaxarchivebody: 20971520 > > But my Mail"archive" is now about 30 MB. Is a cron job necessary to > delete the old mails? I think maybe there's a misunderstanding about the effect of this setting (it isn't described well in the sa-exim.conf comments). After looking at the function int savemail(int readfd, char *filename, int SAmaxarchivebody) in http://marc.merlins.org/linux/exim/files/local_scan/local_scan.c_1.2, it appears that this setting limits size of each message -- in other words, only the first ~20 MB (in this case) of any message will be written. It doesn't limit how many such messages will exist, and so it doesn't limit the total archive size on disk. Yes, I think a cron job to delete old stuff would be appropriate. Greg From david at colossus.apana.org.au Fri Jan 5 03:43:41 2007 From: david at colossus.apana.org.au (David Fisher) Date: Fri, 5 Jan 2007 22:43:41 +1100 Subject: [SA-exim] SA-EXIM on 64 bit linux systems In-Reply-To: <200612241239.41537@proffe.kibibyte.se> References: <458C9AD9.3060309@innozyt.pl> <200612241239.41537@proffe.kibibyte.se> Message-ID: <200701052243.41316.david@colossus.apana.org.au> On Sunday 24 December 2006 22:39, Magnus Holmgren wrote: > On Saturday 23 December 2006 03:56, Czesiek wrote: > > Is it possible to compile and run sa-exim on 64 bit Linux systems? > > At least the sa-exim Debian package builds on the amd64 architecture. > I haven't tried running it though. I have it running on this machine, a Debian sid amd64 machine. It works perfectly. -- David It's time to reconsider your thoughts about the iron carbon double diagram. From tsexton at sc.younglife.org Fri Jan 5 08:42:38 2007 From: tsexton at sc.younglife.org (Tim Sexton) Date: Fri, 05 Jan 2007 09:42:38 -0700 Subject: [SA-exim] SA-EXIM on 64 bit linux systems In-Reply-To: <200701052243.41316.david@colossus.apana.org.au> References: <458C9AD9.3060309@innozyt.pl> <200612241239.41537@proffe.kibibyte.se> <200701052243.41316.david@colossus.apana.org.au> Message-ID: <459E7FFE.8040407@sc.younglife.org> An HTML attachment was scrubbed... URL: http://lists.merlins.org/archives/sa-exim/attachments/20070105/b2b812c9/attachment.htm From david at colossus.apana.org.au Fri Jan 5 13:42:04 2007 From: david at colossus.apana.org.au (David Fisher) Date: Sat, 6 Jan 2007 08:42:04 +1100 Subject: [SA-exim] SA-EXIM on 64 bit linux systems In-Reply-To: <459E7FFE.8040407@sc.younglife.org> References: <458C9AD9.3060309@innozyt.pl> <200701052243.41316.david@colossus.apana.org.au> <459E7FFE.8040407@sc.younglife.org> Message-ID: <200701060842.05029.david@colossus.apana.org.au> On Saturday 06 January 2007 03:42, Tim Sexton wrote: > I have it running on Suse 10oss? 64bit.?? Had to compile from > source, but works fine. > > TS > > David Fisher wrote: > On Sunday 24 December 2006 22:39, Magnus Holmgren wrote: > > On Saturday 23 December 2006 03:56, Czesiek wrote: > > Is it possible to compile and run sa-exim on 64 bit Linux systems? > > At least the sa-exim Debian package builds on the amd64 architecture. > I haven't tried running it though. > > > I have it running on this machine, a Debian sid amd64 machine. > It works perfectly. Perhaps I should have added that I am running it from the Debian package, a very neat installation. The packagers have done a superb job. Pat on the back to 'em. -- David It's time to reconsider your thoughts about the iron carbon double diagram. From holmgren at lysator.liu.se Tue Jan 9 16:45:00 2007 From: holmgren at lysator.liu.se (Magnus Holmgren) Date: Wed, 10 Jan 2007 01:45:00 +0100 Subject: [SA-exim] The greylisting plugin Message-ID: <200701100145.05518@proffe.kibibyte.se> As you may or may not know, I'm the new maintainer of the sa-exim Debian package. As you also may or may not know, sa-exim (the package) is designed such that SpamAssassin doesn't have to be installed on the same machine as SA-Exim and of course Exim. Except if you want to use the greylisting module for SpamAssassin, that is, unless you manually copy Greylisting.pm to the right place, which isn't too hard to do but it's not pretty and it's not Right. The greylisting code exists as a SA plugin (and a patch for ancient SA versions) for two reasons, AFAIU: It's easier to code in Perl and it also makes the module usable with other software. But it also has drawbacks; in particular the X-SA-Exim-* headers that have to be added by the local_scan code before sending the mail to SA, and that can't be removed if report_safe is used. To fix the packaging I'll have to split the package into two, plus a transitional metapackage by the original name. I would rather write the greylisting code in C and drop the SA plugin. So what I want to ask now is whether anyone is using the greylisting plugin without the main SA-Exim local_scan() plugin. Hm, well, I guess you can continue doing so in that case. Any other comments? -- Magnus Holmgren holmgren at lysator.liu.se (No Cc of list mail needed, thanks) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.merlins.org/archives/sa-exim/attachments/20070110/b5737c16/attachment.pgp From marc at merlins.org Tue Jan 9 17:04:26 2007 From: marc at merlins.org (Marc MERLIN) Date: Tue, 9 Jan 2007 17:04:26 -0800 Subject: [SA-exim] The greylisting plugin In-Reply-To: <200701100145.05518@proffe.kibibyte.se> References: <200701100145.05518@proffe.kibibyte.se> Message-ID: <20070110010426.GJ22603@merlins.org> On Wed, Jan 10, 2007 at 01:45:00AM +0100, Magnus Holmgren wrote: > As you may or may not know, I'm the new maintainer of the sa-exim Debian > So what I want to ask now is whether anyone is using the greylisting plugin > without the main SA-Exim local_scan() plugin. Hm, well, I guess you can You probably wouldn't find any such folks here, but that said, I've never heard of any, so it wouldn't be the end of the world if greylisting ended up directly in sa-exim. It'll just make the code longer and somewhat harder to maintain than the existing perl version. That said, writing it is the biggest portion of the job, so once that's done, the rest won't be as bad in comparison. Marc -- "A mouse is a device used to point at the xterm you want to type in" - A.S.R. Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: Digital signature Url : http://lists.merlins.org/archives/sa-exim/attachments/20070109/6399797b/attachment.pgp From tim at uksolutions.co.uk Wed Jan 10 09:29:45 2007 From: tim at uksolutions.co.uk (Timothy Arnold) Date: Wed, 10 Jan 2007 17:29:45 +0000 Subject: [SA-exim] Spam being let through. Message-ID: <45A52289.6010208@uksolutions.co.uk> Hi, Has anyone seen this before? The spam is being let through, even though the score is over 5. X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on av-1 X-Spam-Status: Yes, score=5.6 required=5.0 tests=AWL,FUZZY_OCR_KNOWN_HASH, FUZZY_OCR_WRONG_EXTENSION,HTML_10_20,HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=3.1.7 Here is the part of the exim configuration which should drop the message # Reject spam messages with score over 5, using an extra condition. drop message = This message has a spam score of $spam_score points spam = nobody:true condition = ${if >={$spam_score_int}{50}{1}{0}} I've configured Spamassassin on a central server and set sa-exim to use the remote server. Is this likely to cause issues? Any thoughts? Cheers Tim From dermot at sciencephoto.com Wed Jan 10 09:46:47 2007 From: dermot at sciencephoto.com (Beginner) Date: Wed, 10 Jan 2007 17:46:47 -0000 Subject: [SA-exim] Spam being let through. In-Reply-To: <45A52289.6010208@uksolutions.co.uk> References: <45A52289.6010208@uksolutions.co.uk> Message-ID: <45A52687.10235.209E68D5@dermot.sciencephoto.com> i am no expert but I thought that this was set in /etc/exim4/sa- exim.conf (or wherever you have you exim installed) SApermreject: 5.0 Dp. On 10 Jan 2007 at 17:29, Timothy Arnold wrote: > Hi, > > Has anyone seen this before? The spam is being let through, even though > the score is over 5. > > X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on av-1 > X-Spam-Status: Yes, score=5.6 required=5.0 tests=AWL,FUZZY_OCR_KNOWN_HASH, > FUZZY_OCR_WRONG_EXTENSION,HTML_10_20,HTML_MESSAGE,MIME_HTML_ONLY > autolearn=no version=3.1.7 > > Here is the part of the exim configuration which should drop the message > > # Reject spam messages with score over 5, using an extra condition. > drop message = This message has a spam score of $spam_score points > spam = nobody:true > condition = ${if >={$spam_score_int}{50}{1}{0}} > > I've configured Spamassassin on a central server and set sa-exim to use > the remote server. Is this likely to cause issues? > > Any thoughts? > > Cheers > Tim > > > > > _______________________________________________ > SA-Exim mailing list > SA-Exim at lists.merlins.org > http://lists.merlins.org/lists/listinfo/sa-exim From holmgren at lysator.liu.se Wed Jan 10 10:16:19 2007 From: holmgren at lysator.liu.se (Magnus Holmgren) Date: Wed, 10 Jan 2007 19:16:19 +0100 Subject: [SA-exim] Spam being let through. In-Reply-To: <45A52289.6010208@uksolutions.co.uk> References: <45A52289.6010208@uksolutions.co.uk> Message-ID: <200701101916.26178@proffe.kibibyte.se> On Wednesday 10 January 2007 18:29, Timothy Arnold wrote: > Has anyone seen this before? The spam is being let through, even though > the score is over 5. > > X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on av-1 > X-Spam-Status: Yes, score=5.6 required=5.0 tests=AWL,FUZZY_OCR_KNOWN_HASH, > FUZZY_OCR_WRONG_EXTENSION,HTML_10_20,HTML_MESSAGE,MIME_HTML_ONLY > autolearn=no version=3.1.7 > > Here is the part of the exim configuration which should drop the message > > # Reject spam messages with score over 5, using an extra condition. > drop message = This message has a spam score of $spam_score points > spam = nobody:true > condition = ${if >={$spam_score_int}{50}{1}{0}} Er, If you use SA-Exim to call SpamAssassin, you have to configure the thresholds in sa-exim.conf. SA-Exim runs *after* all the ACLs. If you use the built-in content scanning ACL conditions and variables you don't need SA-Exim. -- Magnus Holmgren holmgren at lysator.liu.se (No Cc of list mail needed, thanks) "Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack)" -- Dave Evans -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.merlins.org/archives/sa-exim/attachments/20070110/60700d04/attachment-0001.pgp From holmgren at lysator.liu.se Sat Jan 13 05:37:07 2007 From: holmgren at lysator.liu.se (Magnus Holmgren) Date: Sat, 13 Jan 2007 14:37:07 +0100 Subject: [SA-exim] Greylisting algorithms after end of DATA Message-ID: <200701131437.11483@proffe.kibibyte.se> Traditional greylisting combines the remote host, envelope sender, and envelope recipient and checks if that triplet has been seen before (not too long ago but also at least some time ago) after each RCPT command. (Correct me if I'm wrong.) The advantage is that it saves bandwidth. Running SpamAssassin after end of DATA but before accepting the mail gives the advantage that greylisting can be applied only to grey mail - the delaying of clearly non-spam mail can be avoided. It also means that e.g. the Message-ID can be considered when determining whether we have seen the message before. In fact, nothing prevents us from using an arbitrary set of header fields (such as Subject, Message-ID, From) in constructing the key, if it gives better confidence in what we want to know: whether the other end retries after a temporary failure. (We could even accept delivery and whitelist based on a partial match, say 3 of 4, to better cope with the braindead mail servers that unfortunately exist.) After we have determined that it does, there's no reason to greylist further mail. (Well, there might be a reason to delay mail from new senders at large ESPs like Hotmail, if that means that URIs in the spam get the time to end up in URIBLs. This is open to discussion.) So, what I suggest for a future SA-Exim version (and to anyone implementing something similar using only Exim ACLs is this): For each host (or /24 or /64 network), store a list of records representing messages that host has tried to deliver. A record contains a timestamp and a key, which could be a hash of $rh_From:, $rh_Subject:, $recipients (but see below) etc. When a message matches an existing record, check the timestamp, and if enough time has passed, replace the whole list with "whitelisted" (if not, do nothing). (Most of the time, just one message arrives before the host gets whitelisted.) One question to be solved is about $recipients. The envelope recipients have to be checked since a spammer can send the same spam to many addresses but with the same From: field. Most often there is only one recipient, and even otherwise, normally the list is the same from delivery attempt to delivery attempt, but it could change if one or more recipients were temporarily rejected on one occasion but not the other. Furthermore, it can't be demanded that MTAs give the list in the same order each time. When storing the list of attempted deliveries in a file I'd prefer if the file didn't have to be rewritten, only appended to. Maybe it can be deemed enough if one recipient is found in the list of recipients of the first delivery attempt. Comments please! -- Magnus Holmgren holmgren at lysator.liu.se (No Cc of list mail needed, thanks) "Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack)" -- Dave Evans -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.merlins.org/archives/sa-exim/attachments/20070113/3ea3904c/attachment.pgp From zelin at dac.hu Thu Jan 18 01:36:43 2007 From: zelin at dac.hu (DOMA Peter) Date: Thu, 18 Jan 2007 10:36:43 +0100 Subject: [SA-exim] SA-exim uses only tempreject Message-ID: <45AF3FAB.8030601@dac.hu> Hi, I have a problem with an Exim 4.63 and SA-exim 4.2.1 installation. I set the following threshold levels: SA: Debug3: expanded SAdevnull = 20.00 SA: Debug3: expanded SApermreject = 12.00 SA: Debug3: expanded SAtempreject = 9.00 However, the only action SA-exim does is tempreject: SA: Action: temporarily rejected message: score=26.0 required=5.5 trigger=9.0 (scanned in 9/9 secs | Message-Id: 000b01c73a57_17428670_6400a8c0@[...]). From <[...]> (host=xxxxxxxx.xxxxxx.xxx [xxx.xxx.xxx.xxx]) for xxxxx at xxx.xx Is there any solution to get SAdevnull and SApermreject working ? Thanks in advance, Peter From holmgren at lysator.liu.se Sat Jan 20 14:04:10 2007 From: holmgren at lysator.liu.se (Magnus Holmgren) Date: Sat, 20 Jan 2007 23:04:10 +0100 Subject: [SA-exim] Greylisting algorithms after end of DATA In-Reply-To: <200701131437.11483@proffe.kibibyte.se> References: <200701131437.11483@proffe.kibibyte.se> Message-ID: <200701202304.22173@proffe.kibibyte.se> On Saturday 13 January 2007 14:37, Magnus Holmgren wrote: > So, what I suggest for a future SA-Exim version (and to anyone implementing > something similar using only Exim ACLs is this): For each host (or /24 or > /64 network), store a list of records representing messages that host has > tried to deliver. A record contains a timestamp and a key, which could be a > hash of $rh_From:, $rh_Subject:, $recipients (but see below) etc. When a > message matches an existing record, check the timestamp, and if enough time > has passed, replace the whole list with "whitelisted" (if not, do nothing). > (Most of the time, just one message arrives before the host gets > whitelisted.) > > One question to be solved is about $recipients. The envelope recipients > have to be checked since a spammer can send the same spam to many addresses > but with the same From: field. Most often there is only one recipient, and > even otherwise, normally the list is the same from delivery attempt to > delivery attempt, but it could change if one or more recipients were > temporarily rejected on one occasion but not the other. Furthermore, it > can't be demanded that MTAs give the list in the same order each time. > > When storing the list of attempted deliveries in a file I'd prefer if the > file didn't have to be rewritten, only appended to. Maybe it can be deemed > enough if one recipient is found in the list of recipients of the first > delivery attempt. No comments (on this list) so far. One more question: Does anyone use the Whitelisted count and Query count lines in the tuple files for anything (debugging, statistics, ...)? -- Magnus Holmgren holmgren at lysator.liu.se (No Cc of list mail needed, thanks) "Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack)" -- Dave Evans -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.merlins.org/archives/sa-exim/attachments/20070120/b78f40c6/attachment.pgp From harroun at gmail.com Mon Jan 22 14:59:14 2007 From: harroun at gmail.com (John Bro) Date: Mon, 22 Jan 2007 23:59:14 +0100 Subject: [SA-exim] undefined vars in Greylisting.pm Message-ID: <783c3ee00701221459s7884d271ge34bfc7d2a00ce20@mail.gmail.com> Hello all, I just joined, because I just started using SA-Exim and spamd, and greylisting on my home mail server (Debian Etch) (where I'm the only user), and although it seems to be performing quite nicely (i.e. spam is being blocked, greylisted messages get through when they should, or get dumped when they're spam)... There are a couple complaints (documented below) that have me stumped. Each message produces these complaints from perl: Jan 22 21:02:03 jhbro spamd[3013]: Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 176, line 57. Jan 22 21:02:03 jhbro spamd[3013]: Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 177, line 57. and each time, the same 2 messages 2 seconds later. The lines of Greylisting.pm in question are as follows: 172: $connectip =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/; 173: my ($ipbyte1, $ipbyte2, $ipbyte3, $ipbyte4) = ($1, $2, $3, $4); 174: my $ipdir1 = "$option{'dir'}/$ipbyte1"; 175: # -------------------------- 176: my $ipdir2 = "$ipdir1/$ipbyte2"; 177: my $ipdir3 = "$ipdir2/$ipbyte3"; So clearly, something in the regexp coming up empty. Also, sometimes, (although not at exactly the same time) I see this problem: Jan 22 21:25:59 jhbro spamd[3013]: Couldn't get Connecting IP header X-SA-Exim-Connect-IP for message , skipping greylisting call The absence of a connectip/Connect-IP seems to relate the two complaints.. but I see headers for SA-Exim-Connect-IP in the message, and the Received headers contain IP numbers.. I don't get it. Finally, one more completely independent issue: (that I probably should have put in a separate message.. I can't figure out how to configure things such that rejected messages do not generate an attempt to bounce to the (? always) bogus From: address. It would appear that I am accepting messages rather than rejecting them at SMTP time, and thus exim things it has to send back an "undeliverable". Where have I enabled this?? For the moment it causes no serious problems because I can't figure out how to get properly authenticated to my smarthost with exim either! (while. pine talks authenticated esmtps directly to the smarthost with no problems). So, when exim4 tries to bounce a message, the smarthost refuses, so no innocent bystanders are getting hit with collateral spam. But, the day I figure out the auth problem, I'll need a solution to the bouncing problem. If somebody can help me figure this stuff out, I'll be very grateful. - John -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.merlins.org/archives/sa-exim/attachments/20070122/176b90ca/attachment.htm From dave123 at burtonsys.com Fri Jan 26 10:30:19 2007 From: dave123 at burtonsys.com (David Burton) Date: Fri, 26 Jan 2007 13:30:19 -0500 (EST) Subject: [SA-exim] SA timeout In-Reply-To: <60cfbd050512071634u428cd9dbh1a7ccbf953f0a503@mail.gmail.com> Message-ID: <9RmHcJvcwapi@burtonsys.com> Aaron Stromas wrote on Wed Dec 7 16:34:10 PST 2005: > On 12/7/05, Bob Amen wrote: > > > > Aaron Stromas wrote: > > > > > Hi, > > > > > > All of the sudden I'm getting spam delivered to mailboxes. When I > > > examine the headers I see SA timeout: > > > > > > *X-SA-Exim-Connect-IP:* 59.82.130.46 > > > *X-SA-Exim-Mail-From:* Mason.Alford at wildmail.com > > > < > > https://www.izoard.com/mail/src/compose.php?send_to=Mason.Alford%40wildmail.com > > > > > > *X-SA-Exim-Scanned:* No (on localhost.localdomain); SA Timed out after > > > 240 secs > > > Why would this happen? (Restarting exim does not seem to have helped) > > > > > > Check that your spamd is running. You might also want to run > > "spamassassin -D --lint" just to make sure everything is OK with your SA > > config files. > > > Thanks. It's spampd (proxy daemon). It was running. > > -a Did you ever solve this, Aaron? I also get frequent SA timeouts. The result is that the spams show up in my mailbox with headers like these: .... X-SA-Exim-Mail-From: gixriqdvhqk at com.mx X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on BurtonSys.com X-Spam-Report: * 2.0 MOSTLY_SPAM_TOADDR1 Sent to a burtonsys.com address that gets * mostly spam * 0.9 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date * 0.8 INFO_TLD URI: Contains an URL in the INFO top-level domain * 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts * 0.3 HTML_FONT_BIG BODY: HTML tag for a big font size * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net * [Blocked - see ] * 1.1 URIBL_SBL Contains an URL listed in the SBL blocklist * [URIs: royal-casinos.info] * 3.6 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist * [URIs: royal-casinos.info] * 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist * [URIs: royal-casinos.info] * 3.3 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist * [URIs: royal-casinos.info] * 3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist * [URIs: royal-casinos.info] * -2.7 AWL AWL: From: address is in the auto white-list X-Spam-Status: Yes, score=15.5 required=2.0 tests=AWL,DATE_IN_PAST_12_24, HTML_FONT_BIG,HTML_MESSAGE,INFO_TLD,MIME_HTML_ONLY, MOSTLY_SPAM_TOADDR1,RCVD_IN_BL_SPAMCOP_NET,URIBL_AB_SURBL, URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.1.5 Subject: [SPAM 15.5] Hi X-Spam-Prev-Subject: Hi X-SA-Exim-Version: 4.2.1 (built Mon, 19 Jun 2006 12:05:49 -0400) X-SA-Exim-Scanned: Yes (on burtonsys.com) X-SA-Exim-Scanned: No (on burtonsys.com); SA Timed out after 290 secs The only problem that "spamassassin --lint" reports is: [31915] warn: config: failed to parse line, skipping: _ (Unfortunately, it doesn't give an indication of WHICH line it thinks contains a bare underscore. In fact, there is no such line in local.cf. In fact, the only single-character lines in local.cf consist of just a single '#' (comment) character. So I've been ignoring this issue, and I doubt that it is connected with the SA timeouts.) Any ideas, anyone? -Dave dave123 at burtonsys dot com From jgtez at previtep.com.mx Fri Jan 26 11:16:51 2007 From: jgtez at previtep.com.mx (=?utf-8?Q?Jos=C3=A9_de_Jes=C3=BAs_Guti=C3=A9rrez_Ram=C3=ADrez?=) Date: Fri, 26 Jan 2007 13:16:51 -0600 Subject: [SA-exim] SA: Action: spamd took more than ... In-Reply-To: <783c3ee00701221459s7884d271ge34bfc7d2a00ce20@mail.gmail.com> Message-ID: Hi, The message "SA: Action: spamd took more than 240 secs to run, accepting message" started to appears yesterday in the mainlog, but I don't know what do I have to check to eliminate this issue. I've restarted exim and updated spamassasin and still showing the message. Somebody can give me a clue? TIA Jesus Gutierrez -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.merlins.org/archives/sa-exim/attachments/20070126/9ad2721e/attachment-0001.htm From j.capel at ogd.nl Fri Jan 26 11:25:09 2007 From: j.capel at ogd.nl (Jasper Capel) Date: Fri, 26 Jan 2007 20:25:09 +0100 Subject: [SA-exim] SA: Action: spamd took more than ... In-Reply-To: References: Message-ID: <45BA5595.3040305@ogd.nl> Have you checked /var/log/maillog for SpamAssassin output? Does the "spamassassin --lint -D" command give you any useful leads? Kind regards, Jasper Capel Jos? de Jes?s Guti?rrez Ram?rez wrote: > Hi, > > The message "SA: Action: spamd took more than 240 secs to run, > accepting message" started to appears yesterday in the mainlog, but I > don't know what do I have to check to eliminate this issue. I've > restarted exim and updated spamassasin and still showing the message. > > Somebody can give me a clue? > > TIA > > Jesus Gutierrez > > > > ------------------------------------------------------------------------ > > _______________________________________________ > SA-Exim mailing list > SA-Exim at lists.merlins.org > http://lists.merlins.org/lists/listinfo/sa-exim > From jgtez at previtep.com.mx Fri Jan 26 12:01:08 2007 From: jgtez at previtep.com.mx (=?utf-8?Q?Jos=C3=A9_de_Jes=C3=BAs_Guti=C3=A9rrez_Ram=C3=ADrez?=) Date: Fri, 26 Jan 2007 14:01:08 -0600 Subject: [SA-exim] SA: Action: spamd took more than ... In-Reply-To: <45BA5595.3040305@ogd.nl> Message-ID: Running spamassassin --lint -D The only suspicious I have is the following: dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200 I this an error on my system? or I get this message because I run the test with the root user instead of the Debian-exim user? BTW the bayes files whitelist is 10mb and I have almost 20 expire files around 5mb, are these size files normal? I have to tell my system run on a Celeron 300mhz 96mb ram, I know is small but it was working fine for near 2 years until yersterday. TIA -----Mensaje original----- De: sa-exim-bounces+jgtez=previtep.com.mx at lists.merlins.org [mailto:sa-exim-bounces+jgtez=previtep.com.mx at lists.merlins.org]En nombre de Jasper Capel Enviado el: Viernes, 26 de Enero de 2007 01:25 p.m. Para: sa-exim at lists.merlins.org Asunto: Re: [SA-exim] SA: Action: spamd took more than ... Have you checked /var/log/maillog for SpamAssassin output? Does the "spamassassin --lint -D" command give you any useful leads? Kind regards, Jasper Capel Jos? de Jes?s Guti?rrez Ram?rez wrote: > Hi, > > The message "SA: Action: spamd took more than 240 secs to run, > accepting message" started to appears yesterday in the mainlog, but I > don't know what do I have to check to eliminate this issue. I've > restarted exim and updated spamassasin and still showing the message. > > Somebody can give me a clue? > > TIA > > Jesus Gutierrez > > > > ------------------------------------------------------------------------ > > _______________________________________________ > SA-Exim mailing list > SA-Exim at lists.merlins.org > http://lists.merlins.org/lists/listinfo/sa-exim > _______________________________________________ SA-Exim mailing list SA-Exim at lists.merlins.org http://lists.merlins.org/lists/listinfo/sa-exim From marc at merlins.org Sun Jan 21 23:57:26 2007 From: marc at merlins.org (Marc MERLIN) Date: Mon, 22 Jan 2007 18:57:26 +1100 Subject: [SA-exim] Greylisting algorithms after end of DATA In-Reply-To: <200701202304.22173@proffe.kibibyte.se> References: <200701131437.11483@proffe.kibibyte.se> <200701202304.22173@proffe.kibibyte.se> Message-ID: <20070122075726.GB7014@merlins.org> On Sat, Jan 20, 2007 at 11:04:10PM +0100, Magnus Holmgren wrote: > > When storing the list of attempted deliveries in a file I'd prefer if the > > file didn't have to be rewritten, only appended to. Maybe it can be deemed > > enough if one recipient is found in the list of recipients of the first > > delivery attempt. > > No comments (on this list) so far. One more question: Does anyone use the > Whitelisted count and Query count lines in the tuple files for anything > (debugging, statistics, ...)? That's indeed what I've put it there for, but I never personally used it Marc -- "A mouse is a device used to point at the xterm you want to type in" - A.S.R. Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: Digital signature Url : http://lists.merlins.org/archives/sa-exim/attachments/20070122/60a75889/attachment.pgp From marc at merlins.org Mon Jan 29 20:53:37 2007 From: marc at merlins.org (Marc MERLIN) Date: Mon, 29 Jan 2007 20:53:37 -0800 Subject: [SA-exim] SA timeout In-Reply-To: <9RmHcJvcwapi@burtonsys.com> References: <60cfbd050512071634u428cd9dbh1a7ccbf953f0a503@mail.gmail.com> <9RmHcJvcwapi@burtonsys.com> Message-ID: <20070130045337.GD22611@merlins.org> On Fri, Jan 26, 2007 at 01:30:19PM -0500, David Burton wrote: > Aaron Stromas wrote on Wed Dec 7 16:34:10 PST 2005: > > > On 12/7/05, Bob Amen wrote: > > > > > > Aaron Stromas wrote: > > > > > > > Hi, > > > > > > > > All of the sudden I'm getting spam delivered to mailboxes. When I > > > > examine the headers I see SA timeout: > > > > > > > > *X-SA-Exim-Connect-IP:* 59.82.130.46 > > > > *X-SA-Exim-Mail-From:* Mason.Alford at wildmail.com > > > > < > > > https://www.izoard.com/mail/src/compose.php?send_to=Mason.Alford%40wildmail.com > > > > > > > > *X-SA-Exim-Scanned:* No (on localhost.localdomain); SA Timed out after > > > > 240 secs > > > > Why would this happen? (Restarting exim does not seem to have helped) > > > > > > > > > Check that your spamd is running. You might also want to run > > > "spamassassin -D --lint" just to make sure everything is OK with your SA > > > config files. > > > > > > Thanks. It's spampd (proxy daemon). It was running. > > > > -a > > > Did you ever solve this, Aaron? I used to have time logging information in spamassassin so you could find out after the fact why it SA would ever take more than 4mn. Unfortunately, some of that code was removed from more recent SAs, but you should still be able to find why SA is taking so long by feeding the message from the command line while being in debug mode. Either way, this is most likely a problem just with SA, not with Exim or SA-Exim. > I also get frequent SA timeouts. The result is that the > spams show up in my mailbox with headers like these: > > .... > X-SA-Exim-Mail-From: gixriqdvhqk at com.mx > X-Spam-Flag: YES > X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on BurtonSys.com > X-Spam-Report: > * 2.0 MOSTLY_SPAM_TOADDR1 Sent to a burtonsys.com address that gets > * mostly spam > * 0.9 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date > * 0.8 INFO_TLD URI: Contains an URL in the INFO top-level domain > * 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts > * 0.3 HTML_FONT_BIG BODY: HTML tag for a big font size > * 0.0 HTML_MESSAGE BODY: HTML included in message > * 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net > * [Blocked - see ] > * 1.1 URIBL_SBL Contains an URL listed in the SBL blocklist > * [URIs: royal-casinos.info] > * 3.6 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist > * [URIs: royal-casinos.info] > * 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist > * [URIs: royal-casinos.info] > * 3.3 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist > * [URIs: royal-casinos.info] > * 3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist > * [URIs: royal-casinos.info] > * -2.7 AWL AWL: From: address is in the auto white-list > X-Spam-Status: Yes, score=15.5 required=2.0 tests=AWL,DATE_IN_PAST_12_24, > HTML_FONT_BIG,HTML_MESSAGE,INFO_TLD,MIME_HTML_ONLY, > MOSTLY_SPAM_TOADDR1,RCVD_IN_BL_SPAMCOP_NET,URIBL_AB_SURBL, > URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL > autolearn=disabled version=3.1.5 > Subject: [SPAM 15.5] Hi > X-Spam-Prev-Subject: Hi > X-SA-Exim-Version: 4.2.1 (built Mon, 19 Jun 2006 12:05:49 -0400) > X-SA-Exim-Scanned: Yes (on burtonsys.com) > X-SA-Exim-Scanned: No (on burtonsys.com); SA Timed out after 290 secs > > > The only problem that "spamassassin --lint" reports is: > > [31915] warn: config: failed to parse line, skipping: _ > > (Unfortunately, it doesn't give an indication of WHICH line > it thinks contains a bare underscore. In fact, there is no > such line in local.cf. In fact, the only single-character > lines in local.cf consist of just a single '#' (comment) > character. So I've been ignoring this issue, and I doubt > that it is connected with the SA timeouts.) > > Any ideas, anyone? > > -Dave > dave123 at burtonsys dot com > > _______________________________________________ > SA-Exim mailing list > SA-Exim at lists.merlins.org > http://lists.merlins.org/lists/listinfo/sa-exim > -- "A mouse is a device used to point at the xterm you want to type in" - A.S.R. Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ From timothy.arnold at uksolutions.co.uk Wed Jan 10 09:20:59 2007 From: timothy.arnold at uksolutions.co.uk (Timothy Arnold) Date: Wed, 10 Jan 2007 17:20:59 -0000 Subject: [SA-exim] Spam still being let through Message-ID: <45A52046.2090706@uksolutions.co.uk> Hi, Has anyone seen this before? The spam is being let through, even though the score is over 5. X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on av-1 X-Spam-Status: Yes, score=5.6 required=5.0 tests=AWL,FUZZY_OCR_KNOWN_HASH, FUZZY_OCR_WRONG_EXTENSION,HTML_10_20,HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=3.1.7 Here is the part of the exim configuration which should drop the message # Reject spam messages with score over 5, using an extra condition. drop message = This message has a spam score of $spam_score points spam = nobody:true condition = ${if >={$spam_score_int}{50}{1}{0}} I've configured Spamassassin on a central server and set sa-exim to use the remote server. Is this likely to cause issues? Any thoughts? Cheers Tim From timothy.arnold at uksolutions.co.uk Fri Jan 12 02:26:38 2007 From: timothy.arnold at uksolutions.co.uk (Timothy Arnold) Date: Fri, 12 Jan 2007 10:26:38 -0000 Subject: [SA-exim] Spam being let through. In-Reply-To: <200701101916.26178@proffe.kibibyte.se> References: <45A52289.6010208@uksolutions.co.uk> <200701101916.26178@proffe.kibibyte.se> Message-ID: <45A76246.4020402@uksolutions.co.uk> Hi, I see. It looks like we use sa-exim and exiscan. Thanks for the clarification. Tim Magnus Holmgren wrote: > On Wednesday 10 January 2007 18:29, Timothy Arnold wrote: > >> Has anyone seen this before? The spam is being let through, even though >> the score is over 5. >> >> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on av-1 >> X-Spam-Status: Yes, score=5.6 required=5.0 tests=AWL,FUZZY_OCR_KNOWN_HASH, >> FUZZY_OCR_WRONG_EXTENSION,HTML_10_20,HTML_MESSAGE,MIME_HTML_ONLY >> autolearn=no version=3.1.7 >> >> Here is the part of the exim configuration which should drop the message >> >> # Reject spam messages with score over 5, using an extra condition. >> drop message = This message has a spam score of $spam_score points >> spam = nobody:true >> condition = ${if >={$spam_score_int}{50}{1}{0}} >> > > Er, If you use SA-Exim to call SpamAssassin, you have to configure the > thresholds in sa-exim.conf. SA-Exim runs *after* all the ACLs. If you use the > built-in content scanning ACL conditions and variables you don't need > SA-Exim. > > > ------------------------------------------------------------------------ > > _______________________________________________ > SA-Exim mailing list > SA-Exim at lists.merlins.org > http://lists.merlins.org/lists/listinfo/sa-exim > -- UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Tel: 08700 681 333 - Fax: 01527 851 301 timothy.arnold at uksolutions.co.uk - www.uksolutions.co.uk From chris at ex-parrot.com Sun Jan 14 05:22:28 2007 From: chris at ex-parrot.com (Chris Lightfoot) Date: Sun, 14 Jan 2007 13:22:28 -0000 Subject: [SA-exim] [exim] Greylisting algorithms after end of DATA In-Reply-To: <200701131437.11483@proffe.kibibyte.se> References: <200701131437.11483@proffe.kibibyte.se> Message-ID: On Sat, Jan 13, 2007 at 02:37:07PM +0100, Magnus Holmgren wrote: > In fact, nothing prevents us from using an arbitrary set of header fields > (such as Subject, Message-ID, From) in constructing the key, if it gives > better confidence in what we want to know: whether the other end retries > after a temporary failure. (We could even accept delivery and whitelist based Identifying messages in this way is obviously in some sense not adequate, since you can always put any message-ID on any message; and some messages don't have message-IDs at all. I don't know whether that level of sophistication will matter versus the current behaviour of spammers. If it does then looking at the kinds of hashes that things like `Vipul's Razor' use is probably a good idea. -- ``Odd things, animals. Dogs look up to you. Cats look down to you. Only pigs see you as an equal.'' (Churchill) From jon.armitage at hepworthband.co.uk Sat Jan 27 09:48:05 2007 From: jon.armitage at hepworthband.co.uk (Jonathan Armitage) Date: Sat, 27 Jan 2007 17:48:05 +0000 Subject: [SA-exim] SA timeout In-Reply-To: <9RmHcJvcwapi@burtonsys.com> References: <9RmHcJvcwapi@burtonsys.com> Message-ID: <45BB9055.60401@hepworthband.co.uk> >>> Aaron Stromas wrote: >>> >>>> Hi, >>>> >>>> *X-SA-Exim-Scanned:* No (on localhost.localdomain); SA Timed out after >>>> 240 secs >>>> Why would this happen? (Restarting exim does not seem to have helped) >>> I had this issue some months ago, and eventually decided that, at busy times, too many spamd daemons were running simultaneously, resulting in them swapping. I limited the number of daemons that could run simultaneously with --max-children, which helped. Jon From holmgren at lysator.liu.se Tue Jan 30 03:50:56 2007 From: holmgren at lysator.liu.se (Magnus Holmgren) Date: Tue, 30 Jan 2007 12:50:56 +0100 Subject: [SA-exim] Spam still being let through In-Reply-To: <45A52046.2090706@uksolutions.co.uk> References: <45A52046.2090706@uksolutions.co.uk> Message-ID: <200701301251.02542@proffe.kibibyte.se> On Wednesday 10 January 2007 18:20, Timothy Arnold wrote: > Has anyone seen this before? The spam is being let through, even though > the score is over 5. > > X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on av-1 > X-Spam-Status: Yes, score=5.6 required=5.0 tests=AWL,FUZZY_OCR_KNOWN_HASH, > FUZZY_OCR_WRONG_EXTENSION,HTML_10_20,HTML_MESSAGE,MIME_HTML_ONLY > autolearn=no version=3.1.7 These header fields are added by SA-Exim, > Here is the part of the exim configuration which should drop the message > > # Reject spam messages with score over 5, using an extra condition. > drop message = This message has a spam score of $spam_score points > spam = nobody:true > condition = ${if >={$spam_score_int}{50}{1}{0}} but again, this has *nothing* do with SA-Exim. Even though the scores should probably be approximately the same, there's no guarantee. > I've configured Spamassassin on a central server and set sa-exim to use > the remote server. Is this likely to cause issues? No, how you configured SA-Exim has absolutely no impact on how Exim's built-in code calls SpamAssassin. That's controlled by the spamd_address option in exim.conf. Or yes, if you haven't set spamd_address that could explain why the results differ. To see exactly what score the spam condition gives you have to add some add_header and/or logwrite modifier. Please pick *one* of SA-Exim and the built-in spam ACL conditions. There is no reason to use both. Basically, if you want to use the report_safe feature, use SA-Exim. SA-Exim also lets the add_header and rewrite_header in local.cf work, so that you don't have to configure Exim to mimic the header you get when you run spamassassin from the command line or procmail. Otherwise go with the build-in spam conditions. If you decide to stay with SA-Exim, drop the drop stanza from the ACL. Also delete all other spamassassin-related stanzas. However, you might want to set some ACL variables to control SA-Exim. -- Magnus Holmgren holmgren at lysator.liu.se (No Cc of list mail needed, thanks) "Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack)" -- Dave Evans -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.merlins.org/archives/sa-exim/attachments/20070130/1dc8351c/attachment.pgp